[Proposal] How to implement image policy for sealer using Kyverno #1899
Comments
|
: Sorry for the late reply. nice job 👍 And there are some suggestions for your reference:
|
|
@YTGhost Any update? |
[
{
"image": "image:tag",
"appName": "app1",
"resourceKind": "deployment",
"resourceName": "nginx-deployment",
"namespace": "default"
},
...
] |
In fact, you only need to mutate the image for the pod resources |
Yes, after some research, kyverno supports the use of regex in policies to replace them, as shown in this example: https://kyverno.io/policies/other/replace_image_registry/replace_image_registry/. So in the image list, we can replace the image according to its name |
|
well done, and then cloud you please submit a to-do list so we progress to implementation in an orderly manner? |
|
attention: We don't have the command "run app" anymore, and it is unified into the "run" command |
|
I think the implementation of this feature can be split into the following subtasks, @starnop WDYT:
|
|
great job! And I have a few minor suggestions.
BTW, the API related to the image list can be left to me to deal with. |
|
Supplement: Whether to save the container images through the build mode should be necessary. And the kyverno image policy management also depends on the API that whether the |
Issue Description
Background
The Proposal(Using Kyverno to support container runtime neutrally) was discussed at an community meeting on November 16, 2022. This proposal introduces Kubernetes Pod Policy and compares Pod Security Admission, Gatekeeper, and Kyverno, and finally determines that Kyverno can be used to implement image policy.
After the meeting, we also verified whether Kyverno supports k0s/k3s, it works well.
Implementation details
Kyverno dynamically adds Webhook by creating Policy, which can help us implement Image policy. So in fact, in terms of implementation details, we need to pay attention to two aspects:
About Policy
Format of policy configuration file
The picture above shows Kyverno’s Policy rules, we can use Namespaces, Resource Kinds and Resource Names to match the corresponding Pod.
We may need to build a user-friendly Policy configuration file, and the sealer can create a corresponding Policy based on this configuration file. And maybe through this configuration file, we can do the function of getting the mirror list together. @starnop
{ "application-list":[ { "resourceKind": "deployment", "resourceName": "nginx-deployment", "namespace": "default", "image": "nginx:1.14.2" }, ... ] }How to get the information needed to create a policy
During the build phase, sealer will cache all container images required by the cluster in the local private registry.
We can extract the application list that needs to be matched by the image policy along the way during the build process.
Where to store policy configuration file
There are currently two options, @kakaZhou719:
When is the Policy created?
Since the container at the K8s layer does not require webhook to intercept, it is sufficient to create a Policy before the container at the application layer is launched.
About Kyverno
Whether to install Kyverno
In a proprietary cloud delivery scenario, the cluster network is isolated from the outside world, so we need to cache container images to a local private repository during the build phase and pull images from the private repository uniformly when the cluster starts.
But in some case, users want to not save the container image during the build process. For example, when the cluster network is not isolated from the outside world.
So we could perhaps set up two different build modes (online and offline) during the build phase and install Kyverno in offline mode only.
When is the Kyverno installed
Based on the role Kyverno needs to play, an obvious choice would be to make it part of the base and activate it along with the base.
Type: feature request
Describe what feature you want
Additional context
taskList:
The text was updated successfully, but these errors were encountered: